Method for restoring public key based on SM2 signature

ABSTRACT

Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for recovering and verifying a public key. One of the methods includes accepting information encoding parameters of an elliptic curve, a published public key, a hash value of a message, a digital signature, and an identification parameter; generating a recovered public key based on the parameters of the elliptic curve, the hash value of the message, the digital signature, and the identification parameter; comparing the published public key and the recovered public key to verify the published public key.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of PCT Application No.PCT/CN2019/089602, filed on May 31, 2019, which is hereby incorporatedby reference in its entirety.

TECHNICAL FIELD

This specification relates to public key infrastructure in the contextof blockchain technology.

BACKGROUND

Distributed ledger systems (DLSs), which can also be referred to asconsensus networks, and/or blockchain networks, enable participatingentities to securely, and immutably store data. DLSs are commonlyreferred to as blockchain networks without referencing any particularuser case. Examples of types of blockchain networks can include publicblockchain networks, private blockchain networks, and consortiumblockchain networks. A consortium blockchain network is provided for aselect group of entities, which control the consensus process, andincludes an access control layer. The blockchain technology wasoriginally designed as a special distributed database technology forbitcoin (a digital currency). It is suitable for storing simple,sequential data that can be verified in the system, using cryptographyand consensus algorithms to ensure that the data cannot be falsified andunforgeable.

“Digital identity” refers to the condensing of real identity informationinto a digital code, which can include a public key to be queried andidentified through a network or related devices. Once generatedaccording to the private key of a user, the digital identity of the usercan be verified by other people on the network. This paradigm isreferred to as the public key infrastructure, which operates anasymmetric cryptosystem premised on a pair of a public key and a privatekey. In this paradigm, a private key is the key that the entitymaintains itself and only the entity itself knows. The public key, onthe other hand, can be publicized.

It would be desirable to achieve faster restoration and verification ofa public key associated with a digital identity presented by a sender toa receiver to improve trusted transactions in a distributed computingenvironment such as a blockchain network.

SUMMARY

This specification describes technologies for recovering and verifying apublic key in the context of a blockchain network. These technologiesgenerally involve extracting information from a message transmitted overthe blockchain network, recovering a public key from the information,and comparing the public key as recovered with an already publishedpublic key to determine the veracity of the public key. In particular,the information extracted from the message includes an identificationparameter in addition to a hash value of the message, a digitalsignature embedded by the transmitter of the message, and parameters ofan elliptic curve. By virtue of the identification parameter, someembodiments can expeditiously recover the public key based on theinformation as extracted. In these embodiments, the elliptic curvedigital signature algorithm (ECDSA) is generally used to achievecomparable encryption results as the Rivest-Shamir-Adleman (RSA)algorithms, but with fewer bits.

This specification also provides one or more non-transitorycomputer-readable storage media coupled to one or more processors andhaving instructions stored thereon which, when executed by the one ormore processors, cause the one or more processors to perform operationsin accordance with embodiments of the methods provided herein.

This specification further provides a system for implementing themethods provided herein. The system includes one or more processors, anda computer-readable storage medium coupled to the one or more processorshaving instructions stored thereon which, when executed by the one ormore processors, cause the one or more processors to perform operationsin accordance with embodiments of the methods provided herein.

It is appreciated that methods in accordance with this specification mayinclude any combination of the aspects and features described herein.That is, methods in accordance with this specification are not limitedto the combinations of aspects and features specifically describedherein, but also include any combination of the aspects and featuresprovided.

The details of one or more embodiments of this specification are setforth in the accompanying drawings and the description below. Otherfeatures and advantages of this specification will be apparent from thedescription and drawings, and from the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating an example of an environment that canbe used to execute embodiments of this specification.

FIG. 2 is a diagram illustrating an example of an architecture inaccordance with embodiments of this specification.

FIG. 3 is a diagram illustrating an example of a process that can beexecuted for generating a digital signature using the elliptic curvedigital signature algorithm (ECDSA) in accordance with embodiments ofthis specification.

FIG. 4 is a diagram illustrating an example of a process that can beexecuted for verifying a digital signature using the elliptic curvedigital signature algorithm (ECDSA) in accordance with embodiments ofthis specification.

FIG. 5 is a diagram illustrating an example of a process that can beexecuted for recovering a public key using the elliptic curve digitalsignature algorithm (ECDSA) in accordance with embodiments of thisspecification.

FIG. 6 is a diagram illustrating an example of a process that can beexecuted for verifying a public key using the elliptic curve digitalsignature algorithm (ECDSA) in accordance with embodiments of thisspecification.

FIG. 7 is a diagram illustrating an example of a process that can beexecuted for generating a digital signature and an identificationparameter using the elliptic curve digital signature algorithm (ECDSA)in accordance with embodiments of this specification.

FIG. 8 is a diagram illustrating another example of a process that canbe executed for verifying a public key using the elliptic curve digitalsignature algorithm (ECDSA) in accordance with embodiments of thisspecification.

FIG. 9 depicts examples of modules of an apparatus in accordance withembodiments of this specification.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION

This specification describes technologies for improved recovery andverification of a public key in the context of a blockchain network. Forcontext, a blockchain network can incorporate a public keyinfrastructure (PKI) in which a sender can use the sender's private keyfor encryption while a receiver can use the sender's public key fordecryption. Under PKI, the sender's public key and private key form aunique pair. Although the sender keeps the private key private so thatno one else knows about it, the public key can be published. This allowsinformation to be encrypted using one of the keys and the other of thepair is used for decryption. In this context, this specificationincorporates, for example, elliptic curve algorithms for implementingthe PKI for a blockchain network.

Some embodiments allow a public key to be restored by generating arecoverable public key signature. By incorporating the calculation logicof an identification parameter into a public key generating process inthe elliptic curve digital signature algorithm (ECDSA), the outputdigital signature can be accompanied by the identification parameter. Insome cases, the identification parameter can be used to efficientlyrestore the public key. Additionally or alternatively, some cases allowthe restoration process to traverse all likely instances of theidentification parameter until a verifiable public key is restored.

In more detail, these embodiments generally involve extractinginformation from a message transmitted over the blockchain network bythe sender, recovering a public key from the information, and verifyingthe public key as recovered. In particular, the information extractedfrom the message can include an identification parameter in addition toa hash value of the message, a digital signature embedded by thetransmitter of the message, and parameters of an elliptic curve. Thepresence of the identification parameter allows recovery of the publickey based on the information as extracted through simple comparisonsteps. More details are described below with reference to FIGS. 1 to 9.

To provide further context for embodiments of this specification, and asintroduced above, distributed ledger systems (DLSs), which can also bereferred to as consensus networks (e.g., made up of peer-to-peer nodes),and blockchain networks, enable participating entities to securely, andimmutably conduct transactions, and store data. Although the termblockchain is generally associated with particular networks, and/or usecases, blockchain is used herein to generally refer to a DLS withoutreference to any particular use case.

A blockchain is a data structure that stores transactions in a way thatthe transactions are immutable. Thus, transactions recorded on ablockchain are reliable and trustworthy. A blockchain includes one ormore blocks. Each block in the chain is linked to a previous blockimmediately before it in the chain by including a cryptographic hash ofthe previous block. Each block also includes a timestamp, its owncryptographic hash, and one or more transactions. The transactions,which have already been verified by the nodes of the blockchain network,are hashed and encoded into a Merkle tree. A Merkle tree is a datastructure in which data at the leaf nodes of the tree is hashed, and allhashes in each branch of the tree are concatenated at the root of thebranch. This process continues up the tree to the root of the entiretree, which stores a hash that is representative of all data in thetree. A hash purporting to be of a transaction stored in the tree can bequickly verified by determining whether it is consistent with thestructure of the tree.

Whereas a blockchain is a decentralized or at least partiallydecentralized data structure for storing transactions, a blockchainnetwork is a network of computing nodes that manage, update, andmaintain one or more blockchains by broadcasting, verifying andvalidating transactions, etc. As introduced above, a blockchain networkcan be provided as a public blockchain network, a private blockchainnetwork, or a consortium blockchain network. Embodiments of thisspecification are described in further detail herein with reference to aconsortium blockchain network. It is contemplated, however, thatembodiments of this specification can be realized in any appropriatetype of blockchain network.

In general, a consortium blockchain network is private among theparticipating entities. In a consortium blockchain network, theconsensus process is controlled by an authorized set of nodes, which canbe referred to as consensus nodes, one or more consensus nodes beingoperated by a respective entity (e.g., a financial institution,insurance company). For example, a consortium of ten (10) entities(e.g., financial institutions, insurance companies) can operate aconsortium blockchain network, each of which operates at least one nodein the consortium blockchain network.

In some examples, within a consortium blockchain network, a globalblockchain is provided as a blockchain that is replicated across allnodes. That is, all consensus nodes are in perfect state consensus withrespect to the global blockchain. To achieve consensus (e.g., agreementto the addition of a block to a blockchain), a consensus protocol isimplemented within the consortium blockchain network. For example, theconsortium blockchain network can implement a practical Byzantine faulttolerance (PBFT) consensus, described in further detail below.

FIG. 1 is a diagram illustrating an example of an environment 100 thatcan be used to execute embodiments of this specification. In someexamples, the environment 100 enables entities to participate in aconsortium blockchain network 102. The environment 100 includescomputing devices 106, 108, and a network 110. In some examples, thenetwork 110 includes a local area network (LAN), wide area network(WAN), the Internet, or a combination thereof, and connects web sites,user devices (e.g., computing devices), and back-end systems. In someexamples, the network 110 can be accessed over a wired and/or a wirelesscommunications link. In some examples, the network 110 enablescommunication with, and within the consortium blockchain network 102. Ingeneral the network 110 represents one or more communication networks.In some cases, the computing devices 106, 108 can be nodes of a cloudcomputing system (not shown), or each computing device 106, 108 can be aseparate cloud computing system including a number of computersinterconnected by a network and functioning as a distributed processingsystem.

In the depicted example, the computing systems 106, 108 can each includeany appropriate computing system that enables participation as a node inthe consortium blockchain network 102. Examples of computing devicesinclude, without limitation, a server, a desktop computer, a laptopcomputer, a tablet computing device, and a smartphone. In some examples,the computing systems 106, 108 host one or more computer-implementedservices for interacting with the consortium blockchain network 102. Forexample, the computing system 106 can host computer-implemented servicesof a first entity (e.g., user A), such as a transaction managementsystem that the first entity uses to manage its transactions with one ormore other entities (e.g., other users). The computing system 108 canhost computer-implemented services of a second entity (e.g., user B),such as a transaction management system that the second entity uses tomanage its transactions with one or more other entities (e.g., otherusers). In the example of FIG. 1, the consortium blockchain network 102is represented as a peer-to-peer network of nodes, and the computingsystems 106, 108 provide nodes of the first entity, and second entityrespectively, which participate in the consortium blockchain network102.

FIG. 2 depicts an example of an architecture 200 in accordance withembodiments of this specification. The example conceptual architecture200 includes participant systems 202, 204, 206 that correspond toParticipant A, Participant B, and Participant C, respectively. Eachparticipant (e.g., user, enterprise) participates in a blockchainnetwork 212 provided as a peer-to-peer network including a plurality ofnodes 214, at least some of which immutably record information in ablockchain 216. Although a single blockchain 216 is schematicallydepicted within the blockchain network 212, multiple copies of theblockchain 216 are provided, and are maintained across the blockchainnetwork 212, as described in further detail herein.

In the depicted example, each participant system 202, 204, 206 isprovided by, or on behalf of Participant A, Participant B, andParticipant C, respectively, and functions as a respective node 214within the blockchain network. As used herein, a node generally refersto an individual system (e.g., computer, server) that is connected tothe blockchain network 212, and enables a respective participant toparticipate in the blockchain network. In the example of FIG. 2, aparticipant corresponds to each node 214. It is contemplated, however,that a participant can operate multiple nodes 214 within the blockchainnetwork 212, and/or multiple participants can share a node 214. In someexamples, the participant systems 202, 204, 206 communicate with, orthrough the blockchain network 212 using a protocol (e.g., hypertexttransfer protocol secure (HTTPS)), and/or using remote procedure calls(RPCs).

Nodes 214 can have varying degrees of participation within theblockchain network 212. For example, some nodes 214 can participate inthe consensus process (e.g., as minder nodes that add blocks to theblockchain 216), while other nodes 214 do not participate in theconsensus process. As another example, some nodes 214 store a completecopy of the blockchain 216, while other nodes 214 only store copies ofportions of the blockchain 216. For example, data access privileges canlimit the blockchain data that a respective participant stores withinits respective system. In the example of FIG. 2, the participant systems202, 204 store respective, complete copies 216′, 216″ of the blockchain216.

A blockchain (e.g., the blockchain 216 of FIG. 2) is made up of a chainof blocks, each block storing data. Examples of data include transactiondata representative of a transaction between two or more participants.While transactions are used herein by way of non-limiting example, it iscontemplated that any appropriate data can be stored in a blockchain(e.g., documents, images, videos, audio). Examples of a transaction caninclude, without limitation, exchanges of something of value (e.g.,assets, products, services, currency). The transaction data is immutablystored within the blockchain. That is, the transaction data cannot bechanged.

Before storing in a block, the transaction data is hashed. Hashing is aprocess of transforming the transaction data (provided as string data)into a fixed-length hash value (also provided as string data). It is notpossible to un-hash the hash value to obtain the transaction data.Hashing ensures that even a slight change in the transaction dataresults in a completely different hash value. Further, and as notedabove, the hash value is of fixed length. That is, no matter the size ofthe transaction data the length of the hash value is fixed. Hashingincludes processing the transaction data through a hash function togenerate the hash value. An example of a hash function includes, withoutlimitation, the secure hash algorithm (SHA)-256, which outputs 256-bithash values.

Transaction data of multiple transactions are hashed and stored in ablock. For example, hash values of two transactions are provided, andare themselves hashed to provide another hash. This process is repeateduntil, for all transactions to be stored in a block, a single hash valueis provided. This hash value is referred to as a Merkle root hash, andis stored in a header of the block. A change in any of the transactionswill result in change in its hash value, and ultimately, a change in theMerkle root hash.

Blocks are added to the blockchain through a consensus protocol.Multiple nodes within the blockchain network participate in theconsensus protocol, and perform work to have a block added to theblockchain. Such nodes are referred to as consensus nodes. PBFT,introduced above, is used as a non-limiting example of a consensusprotocol. The consensus nodes execute the consensus protocol to addtransactions to the blockchain, and update the overall state of theblockchain network.

In further detail, the consensus node generates a block header, hashesall of the transactions in the block, and combines the hash value inpairs to generate further hash values until a single hash value isprovided for all transactions in the block (the Merkle root hash). Thishash is added to the block header. The consensus node also determinesthe hash value of the most recent block in the blockchain (i.e., thelast block added to the blockchain). The consensus node also adds anonce value, and a timestamp to the block header.

In general, PBFT provides a practical Byzantine state machinereplication that tolerates Byzantine faults (e.g., malfunctioning nodes,malicious nodes). This is achieved in PBFT by assuming that faults willoccur (e.g., assuming the existence of independent node failures, and/ormanipulated messages sent by consensus nodes). In PBFT, the consensusnodes are provided in a sequence that includes a primary consensus node,and backup consensus nodes. The primary consensus node is periodicallychanged, Transactions are added to the blockchain by all consensus nodeswithin the blockchain network reaching an agreement as to the worldstate of the blockchain network. In this process, messages aretransmitted between consensus nodes, and each consensus nodes provesthat a message is received from a specified peer node, and verifies thatthe message was not modified during transmission.

In PBFT, the consensus protocol is provided in multiple phases with allconsensus nodes beginning in the same state. To begin, a client sends arequest to the primary consensus node to invoke a service operation(e.g., execute a transaction within the blockchain network). In responseto receiving the request, the primary consensus node multicasts therequest to the backup consensus nodes. The backup consensus nodesexecute the request, and each sends a reply to the client. The clientwaits until a threshold number of replies are received. In someexamples, the client waits for f+1 replies to be received, where f isthe maximum number of faulty consensus nodes that can be toleratedwithin the blockchain network. The final result is that a sufficientnumber of consensus nodes come to an agreement on the order of therecord that is to be added to the blockchain, and the record is eitheraccepted, or rejected.

In some blockchain networks, cryptography is implemented to maintainprivacy of transactions. For example, if two nodes want to keep atransaction private, such that other nodes in the blockchain networkcannot discern details of the transaction, the nodes can encrypt thetransaction data. An example of cryptography includes, withoutlimitation, symmetric encryption, and asymmetric encryption. Symmetricencryption refers to an encryption process that uses a single key forboth encryption (generating ciphertext from plaintext), and decryption(generating plaintext from ciphertext). In symmetric encryption, thesame key is available to multiple nodes, so each node can en-/de-crypttransaction data.

Asymmetric encryption uses keys pairs that each include a private key,and a public key, the private key being known only to a respective node,and the public key being known to any or all other nodes in theblockchain network. A node can use the public key of another node toencrypt data, and the encrypted data can be decrypted using other node'sprivate key. For example, and referring again to FIG. 2, Participant Acan use Participant B's public key to encrypt data, and send theencrypted data to Participant B. Participant B can use its private keyto decrypt the encrypted data (ciphertext) and extract the original data(plaintext). Messages encrypted with a node's public key can only bedecrypted using the node's private key.

Asymmetric encryption is used to provide digital signatures, whichenables participants in a transaction to confirm other participants inthe transaction, as well as the validity of the transaction. Forexample, a node can digitally sign a message, and another node canconfirm that the message was sent by the node based on the digitalsignature of Participant A. Digital signatures can also be used toensure that messages are not tampered with in transit. For example, andagain referencing FIG. 2, Participant A is to send a message toParticipant B. Participant A generates a hash of the message, and then,using its private key, encrypts the hash to provide a digital signatureas the encrypted hash. Participant A appends the digital signature tothe message, and sends the message with digital signature to ParticipantB. Participant B decrypts the digital signature using the public key ofParticipant A, and extracts the hash. Participant B hashes the messageand compares the hashes. If the hashes are same, Participant B canconfirm that the message was indeed from Participant A, and was nottampered with.

The asymmetric cryptography described above can incorporate the ellipticcurve digital signature algorithm (ECDSA) to achieve comparableencryption results as the Rivest-Shamir-Adleman (RSA) algorithms, butwith fewer bits. For example, an exemplary RSA 2048-bit public keyprovides a security level of 112 bits. However, ECDSA may only need224-bit sized public keys to provide the same 112-bit security level.Smaller key sizes can lead to less bandwidth to set up, for example, asecure socket layer/transport layer security (SSL/TLS) stream over theblockchain network, which means that ECDSA certificates can be moreadvantageous for mobile applications. Moreover, such certificates can bestored into devices with much more limiting memory constraints, a factthat allows TLS stacks to be implemented in Internet of Things (IoT)devices without allocating many resources. In many applications over theblockchain network, when a message is received from a sender, it becomesdesirable for the receiver to efficiently restore and verify thesender's public key based on the information received.

Referring to FIGS. 3 and 4, diagrams for generating a digital signatureusing the elliptic curve digital signature algorithm (ECDSA) and forverifying a digital signature using the elliptic curve digital signaturealgorithm (ECDSA) in accordance with embodiments of this specificationare described. As illustrated by process 300 for generating a digitalsignature, initial data values are received which can incorporateelliptic curve parameters, a hash value (e) of the message (M) fortransmitting by the sender, and a private key (d_(A)) of the sender(user A) (302). Here, the elliptic curve parameters can include: thesize q of a finite field Fq (when q=2^(m), also including basisrepresentation and irreducible polynomial); the two elements a and b (inthis finite field Fq) which define the elliptic curve equation; the basepoint G=(x_(G), y_(G)), where x_(G) and y_(G) are elements in Fq; thedegree n of G; and others. Process 300 then proceeds to computing anoutput signature that encompasses a first parameter r and a secondparameter s (303), which may involve four steps, namely steps 1 to 4, asdescribed in more detail below. At step 1, a random number k E [1,n−1]is generated using a random number generator (304). The number n here isa prime number corresponding to the degree of a base point G, ascharacterized by parameters of the elliptic curve. At step 2, theelliptic curve point is computed according to (x₁, y₁)=[k] G, and thenthe data type of x₁ is converted to an integer (306). Here, (x₁, y₁)represents a coordinate point on the elliptic curve, [k] G represents kmultiples of point G over the elliptic curve, and G represents a basepoint on the elliptic curve. At step 3, a parameter r is computedaccording: r=(e+x₁) mod n (308). Here, e is the hash value of themessage M to be transmitted by the sender, and mod means a modulooperation. Next, a determination is made regarding if r equals 0 or r+kequals to n (310). If the result is yes, the process returns to step 1.If the result is no, the process proceeds to step 4 in which a secondparameter s is computed according to: s=((1+d_(A))⁻¹ (k−r*d_(A))) mod n(312). Here, the ⁻¹ operator signifies an inverse operation in which theresult is the inverse under modulo n; and r*d_(A) represents a modularmultiplication. Next, a determination is made regarding if s equals to 0(314). If the result is yes, the process returns to step 1. If theresult is no, the process proceeds to returning and outputting a digitalsignature that includes the first parameter r and the second parameter s(316).

As illustrated by process 400 for restoring a public key on the receiverside (referred to as user B), initial input data is received thatincludes elliptic curve parameters, a public key published as P_(A), ahash value e of the message from the sender, and a digital signatureencompassing a first parameter r and a second parameter s (402). Process400 then proceeds to restoring and verifying the public key through fivesteps, namely steps 1 to 5, as described in more detail below. At step1, process 400 determines whether r ∈[1, n−1] is true (404). Here, thefirst parameter r of the digital signature is checked against the rangeof from 1 to n−1, where 1 is the lower limit of the range and ncharacterizes the upper limit of the range (404A). If r is not withinthe range, the verification will not pass (413B). Next, at step 2,process 400 determines whether s ∈[1, n−1] is true (405). Here, thesecond parameter s of the digital signature is checked against the rangeof from 1 to n−1, where 1 is the lower limit of the range and ncharacterizes the upper limit of the range (405A). Ifs is not within therange, the verification will not pass (413B). At step 3, a parameter tis computed as (r+s) mod n (406). Here, a determination is made as towhether t equals to 0 (407). If so, the verification fails (413). Ifnot, process 400 proceeds to computing the elliptic curve point that ispresented as (x₁, y₁) and computed as [s]G+[t]P_(A) (408). Here, Grepresents a base point on the elliptic curve and P_(A) represents thepublished public key of user A (sender). At step 5, a variable R iscomputed as: (e+x₁) mod n, (410), signifying a modulo operation. Here, adetermination is made as to whether R equals to r is true (412). If Rand r match, the verification is passed (413A); otherwise, theverification fails (413B).

FIG. 5 is a diagram illustrating an example of a process 500 that can beexecuted for recovering a public key by using the elliptic curve digitalsignature algorithm (ECDSA) that incorporates an identificationparameter in accordance with embodiments of this specification. Theinitial input data received includes elliptic curve parameters, a hashvalue e of the message M from the sender (user A), and a signatureencompassing a first parameter r and a second parameter s, and anidentification parameter v (502). Process 500 then proceeds to restoringand verifying the public key through six steps, namely steps 1 to 6, asdescribed in more detail below (503). At step 1, process 500 determineswhether r ∈[1, n−1] is true (504). Here, the first parameter r of thedigital signature is checked against the range of from 1 to n−1, where 1is the lower limit of the range and n characterizes the upper limit ofthe range (504A). As described above, n is a prime number and is alsothe degree of the base point G on the elliptic curve. If r is not withinthe range, the verification will not pass and an error report issues(518). Next, at step 2, process 500 determines whether s ∈[1, n−1] istrue (505). Here, the second parameter s of the digital signature ischecked against the range of from 1 to n−1, where 1 is the lower limitof the range and n characterizes the upper limit of the range (505A). Ifs is not within the range, the verification will not pass and an errorreport issues (518). At step 3, a first coordinate parameter x₁ iscomputed as x₁=(r−e) mod n (506). Here, mod n represents a modulooperation. A determination is made as to whether a lower bit of theidentification parameter v, v₀ equals 1 (407). If so, x₁ remains at thecurrent value; otherwise x₁ is calculated x₁=x₁+n, as shown in step 4(508). This calculation enforces that x₁ is range bounded. At step 5,the square roots y of the modulus p are calculated according to: y₁ ²=x₁³+ax+b (509). There, parameters a and b are determined by the ellipticcurve parameters. A determination is made as to whether the square rootsexist (510). If the determination is no, then an error report issues(518). If the square roots exist, the root that corresponds to an oddnumber is set as y and the root that corresponds to an even number isset as p−y (511). Here, p is one parameter of the elliptic curve. As aprime number, p satisfies: (p−y)²=(p²−2py+y²)=y² mod p. A determinationis then made as to whether a higher bit of the identification parameterv, v₁ equals to 1 (512). In response to determining that v₁ equals to 1,y₁ is set to an odd number of the two available roots (513A); otherwise,y₁ is set to an even number of the two available roots (513B). Process500 then proceeds to set the elliptic curve point as represented by thecoordinate point of P=(x₁, y₁) (515). In step 6, the calculated publickey is restored: P_(A)=(s+r)⁻¹ (P−[s] G) (516). Here, G represents abase point on the elliptic curve, [s] G represents s multiple of G overthe elliptic curve. At step 7, the calculated public key P_(A) isreturned as the restored public key of user A (sender).

FIG. 6 is a diagram illustrating an example of a process 600 that can beexecuted for restoring and verifying a public key using the ellipticcurve digital signature algorithm (ECDSA) in accordance with embodimentsof this specification. Initial input data is received that includeselliptic curve parameters, a public key published as P_(A), a hash valuee of the message from user A (sender) to be signed, and a private keyd_(A) of user A (sender) (602). Process 600 then proceeds to restoringand verifying the public key (603), as described in the following threesteps. At step 1, the first and second parameters (r, s) of a digitalsignature are obtained by invoking a process as described by FIG. 3(steps 302 to 316). At step 2, a public key P_(A) is computed from theprivate key d_(A) (606). This computation can generally follow theasymmetric cryptograph paradigm under PKI. Next, process 600 traversesall likely instances of the 2-bit identification parameter v (607). Atstep 3, each iteration during the traversal includes calling thesignature recovery public key process (as illustrated in FIGS. 5 (502 to518)) to obtain the public key P_(A)′ (608). A determination is made asto whether P_(A) equal P_(A)′ (609). If the two matches, process 600 canoutput a digital signature (that includes the first parameter r and thesecond parameter s) accompanied by the identification parameter v. Thiscombination may be referred to as the recoverable public key digitalsignature, annotated by (r, s, v). If the two do not match, process 600may proceed to check out the next likely instance for the identificationparameter v (607). If all instances of the identification parameter vare checked and nothing matches, process 600 may report error (611).

FIG. 7 is a diagram illustrating an example of a process 700 that can beexecuted for generating a digital signature and an identificationparameter using the elliptic curve digital signature algorithm (ECDSA)in accordance with embodiments of this specification. The initial inputdata received includes elliptic curve parameters, a public key publishedas PA, a hash value e of the message from the sender (user A), and asignature encompassing a first parameter r and a second parameter s, andan identification parameter v (702). Process 700 then proceeds torestoring and verifying the public key through four steps, namely steps1 to 4, as described in more detail below (703). At step 1, a randomnumber k is generated within the range of [1, n−1] using a random numbergenerator (704). At step 2, the elliptic curve point is calculated as acoordinate point (x1, y1), which is calculated as [k] G (705). Here, [k]G represents k multiples of the base point G on the elliptic curve. Thedata type of x₁ is converted to an integer. After initializing the lowerbit v₀ and higher bit v₁ of the identification parameter to 0, adetermination is made as to whether x₁ is smaller than n, wherein n isthe degree of the base point G. In response to determining that x₁ is nosmaller than n, the lower bit v₀ of the identification parameter v isset to 0 (707A). In response to determining that x₁ is smaller than n,the lower bit v₀ of the identification parameter v is set to 1 (707B).Next, a determination is made as to whether y₁ is an odd number (708).In response to determining that y₁ is not an odd number, the higher bitv₁ of the identification parameter v is set to 0 (708A). In response todetermining that y₁ is an odd number, the higher bit v₁ of theidentification parameter v is set to 1 (708B). At step 3, the firstparameter r of the digital signature is computed as: r=(e+x1) mod n(709). A determination is then made as to whether r equals to 0 or r+kequals to n (710). If the determination is yes, process 700 returns tostep 1 (704). Otherwise, process 700 proceeds to step 4, in which thesecond parameter s of the digital signature is computed as:s=((1+d_(A))⁻¹ (k−r*d_(A))) mod n (711). Here, ⁻¹ represents an inverseoperation over modulo n, and mod n represents a modulo operation. Adetermination is then made as to where s equals 0 (712). If thedetermination is yes, process 700 returns to step 1 (704). Otherwise,process 700 proceeds to step 5, which returns the recoverable public keydigital signature (r, s, v) (713). Here, v={v₀, v₁}.

FIG. 8 is a diagram illustrating another example of a process 800 thatcan be executed for verifying a public key using the elliptic curvedigital signature algorithm (ECDSA) in accordance with embodiments ofthis specification. Initial input data is received that includeselliptic curve parameters, a public key published as P_(A), a hash valuee of the message m from user A (sender), a digital signature includingthe first parameter r and the second parameter s, and an identificationparameter v (802). A public key P_(A)′ is obtained and verified based,at least on the recoverable digital signature that includes the firstparameter r and the second parameter s, and an identification parameterv (803). In particular, the public key P_(A)′ is obtained by invokingthe public key recovery process as described above in FIG. 5 (804). Therecovered public key P_(A)′ is then compared with the published publickey P_(A) (805). In response to determining that the two matches, theverification is passed (805A). In response to determining that the twodo not match, the verification has failed (805B).

FIG. 9 depicts examples of modules of an apparatus 900 in accordancewith embodiments of this specification. The apparatus 900 can be anexample of an embodiment of a system for recovering and verifying apublic key. The apparatus 900 can correspond to the embodimentsdescribed above, and the apparatus 900 includes the following: anaccepting module 902 for receiving information encoding parameters forrecovering and verifying a public key, a generating module 904 forgenerating a recovered public key based on the parameters, and acomparing module 906 for comparing a published public key with therecovered public key to verify, for example, the published public key.The parameters include: parameters of an elliptic curve, a publishedpublic key, a hash value of a message, a digital signature, and anidentification parameter.

In an optional embodiment, the comparing module further performs thefollowing: in response to determining that the published public key andthe recovered public key match, determining that the published publickey is verified; and in response to determining that the publishedpublic key and the recovered public key do not match, determining thatthe published public key is not verified.

In an optional embodiment, the generating module further performs thefollowing: determining whether a first parameter included in the digitalsignature is within a bounded range, wherein the bounded range is from alower limit to an upper limit, wherein the lower limit is unity, whereinthe upper limit is characterized by the specific prime number includedin the parameters of the elliptic curve. In this optional embodiment,the generating module further performs the following: in response todetermining that the first parameter is not within the bounded range,returning an error message. In this optional embodiment, the generatingmodule further performs the following: verifying whether a secondparameter included in the digital signature is within the bounded range;and in response to determining that the second parameter is not withinthe bounded range, returning an error message.

In an optional embodiment, the generating module further performs thefollowing: computing a first coordinate parameter based, at least, onthe digital signature and the hash value, wherein the first coordinateparameter is computed by: subtracting the hash value from the firstparameter included by the digital signature to generate a subtractionresult, and performing a modulo operation on the subtract result toobtain the first coordinate parameter. In this optional embodiment, thegenerating module further performs: in response to determining that thefirst coordinate parameter equals unity, incrementing the firstcoordinate parameter by the specific prime number that characterizes theupper limit of the bounded range.

In an optional embodiment, the generating module further performs thefollowing: computing modulo prime square roots of an elliptic equationcharacterized by the parameters of the elliptic curve to determine asecond coordinate parameter, wherein the modulo prime square roots arecomputed for the elliptic equation instantiated by the first coordinateparameter. In this optional embodiment, the generating module furtherperforms the following: in response to determining that a particular bitof the identification parameter is unity, setting the second coordinateparameter as an odd member of the modulo prime square roots; and inresponse to determining that the particular bit of the identificationparameter is zero, setting the second coordinate parameter as an evenmember of the modulo prime square roots. In this optional embodiment,the generating module further performs: configuring a coordinate pointthat is specified by a pairing of the first coordinate parameter and thesecond coordinate parameter, wherein the recovered public key isgenerated based, at least, on the first and second parameters includedby the digital signature, the coordinate point specified by the pairingof the first coordinate parameter and the second coordinate parameter,and the parameters of the elliptic curve.

The system, apparatus, module, or unit illustrated in the previousembodiments can be implemented by using a computer chip or an entity, orcan be implemented by using a product having a certain function. Atypical embodiment device is a computer, and the computer can be apersonal computer, a laptop computer, a cellular phone, a camera phone,a smartphone, a personal digital assistant, a media player, a navigationdevice, an email receiving and sending device, a game console, a tabletcomputer, a wearable device, or any combination of these devices.

For an embodiment process of functions and roles of each module in theapparatus, references can be made to an embodiment process ofcorresponding steps in the previous method. Details are omitted here forsimplicity.

Because an apparatus embodiment basically corresponds to a methodembodiment, for related parts, references can be made to relateddescriptions in the method embodiment. The previously describedapparatus embodiment is merely an example. The modules described asseparate parts may or may not be physically separate, and partsdisplayed as modules may or may not be physical modules, may be locatedin one position, or may be distributed on a number of network modules.Some or all of the modules can be selected based on actual demands toachieve the objectives of the solutions of the specification. A personof ordinary skill in the art can understand and implement theembodiments of the present application without creative efforts.

Referring again to FIG. 9, it can be interpreted as illustrating aninternal functional module and a structure of a computing apparatus forencryption or decryption. An execution body in essence can be anelectronic device, and the electronic device includes the following: oneor more processors; and a memory configured to store an executableinstruction of the one or more processors.

This specification describes specific embodiments for restoring andverifying the public key with low overhead. By incorporating theidentification parameter v into the work flow for generating the digitalsignature on part of the sender, the public key associated with thedigital signature can be recovered, with reduced overhead, by thereceiver based on parameters received from the sender. In some cases,recovering the public key can be achieved by traversing variousinstances of the parameter v. These cases may incur an average of 1.5times the duration for operating a procedure of recovering a public keyto determine the parameter v. In other cases, the public key can berecovered based on a specific v value and the verification processinvolves only two comparisons. Such reduced overhead can bringsignificant impact to blockchain applications with intense encryptedtraffic between a sender and a receiver. The savings can be particularlysignificant when participants in a blockchain network initiate keyexchanges with each communicate session amongst them.

Described embodiments of the subject matter can include one or morefeatures, alone or in combination.

For example, in a first embodiment, a computer-implemented methodincludes: accepting information encoding parameters of an ellipticcurve, a published public key, a hash value of a message, a digitalsignature, and an identification parameter; generating a recoveredpublic key based on the parameters of the elliptic curve, the hash valueof the message, the digital signature, and the identification parameter;comparing the published public key and the recovered public key toverify the published public key. The foregoing and other describedembodiments can each, optionally, include one or more of the followingfeatures:

A first feature, combinable with any of the following features,specifies that generating the recovered public key comprises:determining whether a first parameter included in the digital signatureis within a bounded range. In this first feature, the bounded range isfrom a lower limit to an upper limit, wherein the lower limit is unity,wherein the upper limit is characterized by the specific prime numberincluded in the parameters of the elliptic curve. This first featurefurther specifies that: in response to determining that the firstparameter is not within the bounded range, returning an error message.In this optional embodiment, generating the recovered public keycomprises further performs the following: verifying whether a secondparameter included in the digital signature is within the bounded range;and in response to determining that the second parameter is not withinthe bounded range, returning an error message.

A second feature, combinable with any of the previous or followingfeatures, specifies that generating the recovered public key furthercomprises: computing a first coordinate parameter based, at least, onthe digital signature and the hash value. In this second feature, thefirst coordinate parameter is computed by: subtracting the hash valuefrom the first parameter included by the digital signature to generate asubtraction result, and performing a modulo operation on the subtractresult to obtain the first coordinate parameter. This second featurespecifies that generating the recovered public key further comprises: inresponse to determining that the first coordinate parameter equalsunity, incrementing the first coordinate parameter by the specific primenumber that characterizes the upper limit of the bounded range.

A third feature, combinable with any of the previous or followingfeatures, specifies that generating the recovered public key furthercomprises: computing modulo prime square roots of an elliptic equationcharacterized by the parameters of the elliptic curve to determine asecond coordinate parameter. In this third feature, the modulo primesquare roots are computed for the elliptic equation instantiated by thefirst coordinate parameter. This third feature specifies that generatingthe recovered public key further comprises: in response to determiningthat a particular bit of the identification parameter is unity, settingthe second coordinate parameter as an odd member of the modulo primesquare roots; and in response to determining that the particular bit ofthe identification parameter is zero, setting the second coordinateparameter as an even member of the modulo prime square roots. This thirdfeature specifies that generating the recovered public key furthercomprises: configuring a coordinate point that is specified by a pairingof the first coordinate parameter and the second coordinate parameter,wherein the recovered public key is generated based, at least, on thefirst and second parameters included by the digital signature, thecoordinate point specified by the pairing of the first coordinateparameter and the second coordinate parameter, and the parameters of theelliptic curve.

A fourth feature, combinable with any of the previous or followingfeatures, specifies that generating the recovered public key furthercomprises: in response to determining that the published public key andthe recovered public key match, determining that the published publickey is verified; and in response to determining that the publishedpublic key and the recovered public key do not match, determining thatthe published public key is not verified.

Embodiments of the subject matter and the actions and operationsdescribed in this specification can be implemented in digital electroniccircuitry, in tangibly-embodied computer software or firmware, incomputer hardware, including the structures disclosed in thisspecification and their structural equivalents, or in combinations ofone or more of them. Embodiments of the subject matter described in thisspecification can be implemented as one or more computer programs, e.g.,one or more modules of computer program instructions, encoded on acomputer program carrier, for execution by, or to control the operationof, data processing apparatus. For example, a computer program carriercan include one or more computer-readable storage media that haveinstructions encoded or stored thereon. The carrier may be a tangiblenon-transitory computer-readable medium, such as a magnetic, magnetooptical, or optical disk, a solid state drive, a random access memory(RAM), a read-only memory (ROM), or other types of media. Alternatively,or in addition, the carrier may be an artificially generated propagatedsignal, e.g., a machine-generated electrical, optical, orelectromagnetic signal that is generated to encode information fortransmission to suitable receiver apparatus for execution by a dataprocessing apparatus. The computer storage medium can be or be part of amachine-readable storage device, a machine-readable storage substrate, arandom or serial access memory device, or a combination of one or moreof them. A computer storage medium is not a propagated signal.

A computer program, which may also be referred to or described as aprogram, software, a software application, an app, a module, a softwaremodule, an engine, a script, or code, can be written in any form ofprogramming language, including compiled or interpreted languages, ordeclarative or procedural languages; and it can be deployed in any form,including as a stand-alone program or as a module, component, engine,subroutine, or other unit suitable for executing in a computingenvironment, which environment may include one or more computersinterconnected by a data communication network in one or more locations.

A computer program may, but need not, correspond to a file in a filesystem. A computer program can be stored in a portion of a file thatholds other programs or data, e.g., one or more scripts stored in amarkup language document, in a single file dedicated to the program inquestion, or in multiple coordinated files, e.g., files that store oneor more modules, sub programs, or portions of code.

Processors for execution of a computer program include, by way ofexample, both general- and special-purpose microprocessors, and any oneor more processors of any kind of digital computer. Generally, aprocessor will receive the instructions of the computer program forexecution as well as data from a non-transitory computer-readable mediumcoupled to the processor.

The term “data processing apparatus” encompasses all kinds ofapparatuses, devices, and machines for processing data, including by wayof example a programmable processor, a computer, or multiple processorsor computers. Data processing apparatus can include special-purposelogic circuitry, e.g., an FPGA (field programmable gate array), an ASIC(application specific integrated circuit), or a GPU (graphics processingunit). The apparatus can also include, in addition to hardware, codethat creates an execution environment for computer programs, e.g., codethat constitutes processor firmware, a protocol stack, a databasemanagement system, an operating system, or a combination of one or moreof them.

The processes and logic flows described in this specification can beperformed by one or more computers or processors executing one or morecomputer programs to perform operations by operating on input data andgenerating output. The processes and logic flows can also be performedby special-purpose logic circuitry, e.g., an FPGA, an ASIC, or a GPU, orby a combination of special-purpose logic circuitry and one or moreprogrammed computers.

Computers suitable for the execution of a computer program can be basedon general or special-purpose microprocessors or both, or any other kindof central processing unit. Generally, a central processing unit willreceive instructions and data from a read only memory or a random accessmemory or both. Elements of a computer can include a central processingunit for executing instructions and one or more memory devices forstoring instructions and data. The central processing unit and thememory can be supplemented by, or incorporated in, special-purpose logiccircuitry.

Generally, a computer will also include, or be operatively coupled toreceive data from or transfer data to one or more storage devices. Thestorage devices can be, for example, magnetic, magneto optical, oroptical disks, solid state drives, or any other type of non-transitory,computer-readable media. However, a computer need not have such devices.Thus, a computer may be coupled to one or more storage devices, such as,one or more memories, that are local and/or remote. For example, acomputer can include one or more local memories that are integralcomponents of the computer, or the computer can be coupled to one ormore remote memories that are in a cloud network. Moreover, a computercan be embedded in another device, e.g., a mobile telephone, a personaldigital assistant (PDA), a mobile audio or video player, a game console,a Global Positioning System (GPS) receiver, or a portable storagedevice, e.g., a universal serial bus (USB) flash drive, to name just afew.

Components can be “coupled to” each other by being commutatively such aselectrically or optically connected to one another, either directly orvia one or more intermediate components. Components can also be “coupledto” each other if one of the components is integrated into the other.For example, a storage component that is integrated into a processor(e.g., an L2 cache component) is “coupled to” the processor.

To provide for interaction with a user, embodiments of the subjectmatter described in this specification can be implemented on, orconfigured to communicate with, a computer having a display device,e.g., a LCD (liquid crystal display) monitor, for displaying informationto the user, and an input device by which the user can provide input tothe computer, e.g., a keyboard and a pointing device, e.g., a mouse, atrackball or touchpad. Other kinds of devices can be used to provide forinteraction with a user as well; for example, feedback provided to theuser can be any form of sensory feedback, e.g., visual feedback,auditory feedback, or tactile feedback; and input from the user can bereceived in any form, including acoustic, speech, or tactile input. Inaddition, a computer can interact with a user by sending documents toand receiving documents from a device that is used by the user; forexample, by sending web pages to a web browser on a user's device inresponse to requests received from the web browser, or by interactingwith an app running on a user device, e.g., a smartphone or electronictablet. Also, a computer can interact with a user by sending textmessages or other forms of message to a personal device, e.g., asmartphone that is running a messaging application, and receivingresponsive messages from the user in return.

This specification uses the term “configured to” in connection withsystems, apparatus, and computer program components. For a system of oneor more computers to be configured to perform particular operations oractions means that the system has installed on it software, firmware,hardware, or a combination of them that in operation cause the system toperform the operations or actions. For one or more computer programs tobe configured to perform particular operations or actions means that theone or more programs include instructions that, when executed by dataprocessing apparatus, cause the apparatus to perform the operations oractions. For special-purpose logic circuitry to be configured to performparticular operations or actions means that the circuitry has electroniclogic that performs the operations or actions.

While this specification contains many specific embodiment details,these should not be construed as limitations on the scope of what isbeing claimed, which is defined by the claims themselves, but rather asdescriptions of features that may be specific to particular embodiments.Certain features that are described in this specification in the contextof separate embodiments can also be realized in combination in a singleembodiment. Conversely, various features that are described in thecontext of a single embodiments can also be realized in multipleembodiments separately or in any suitable subcombination. Moreover,although features may be described above as acting in certaincombinations and even initially be claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claim may be directed to a subcombination orvariation of a subcombination.

Similarly, while operations are depicted in the drawings and recited inthe claims in a particular order, this should not be understood asrequiring that such operations be performed in the particular ordershown or in sequential order, or that all illustrated operations beperformed, to achieve desirable results. In certain circumstances,multitasking and parallel processing may be advantageous. Moreover, theseparation of various system modules and components in the embodimentsdescribed above should not be understood as requiring such separation inall embodiments, and it should be understood that the described programcomponents and systems can generally be integrated together in a singlesoftware product or packaged into multiple software products.

Particular embodiments of the subject matter have been described. Otherembodiments are within the scope of the following claims. For example,the actions recited in the claims can be performed in a different orderand still achieve desirable results. As one example, the processesdepicted in the accompanying figures do not necessarily require theparticular order shown, or sequential order, to achieve desirableresults. In some cases, multitasking and parallel processing may beadvantageous.

What is claimed is:
 1. A computer-implemented method for recovering andverifying a public key, the computer-implemented method comprising:accepting information encoding parameters of an elliptic curve, apublished public key, a hash value of a message, a digital signature,and an identification parameter; generating a recovered public key basedon the parameters of the elliptic curve, the hash value of the message,the digital signature, and the identification parameter, whereingenerating the recovered public key comprises: determining whether afirst parameter included in the digital signature is within a boundedrange, wherein the bounded range is from a lower limit to an upperlimit, wherein the lower limit is unity, and wherein the upper limit ischaracterized by a specific prime number included in the parameters ofthe elliptic curve, computing a first coordinate parameter based, atleast, on the digital signature and the hash value, comprising:subtracting the hash value from the first parameter included by thedigital signature to generate a subtraction result, and performing amodulo operation on the subtract result to obtain the first coordinateparameter, in response to determining that the first coordinateparameter equals unity, incrementing the first coordinate parameter bythe specific prime number that characterizes the upper limit of thebounded range, and computing modulo prime square roots of an ellipticequation characterized by the parameters of the elliptic curve todetermine a second coordinate parameter, wherein the modulo prime squareroots are computed for the elliptic equation instantiated by the firstcoordinate parameter; and comparing the published public key and therecovered public key to verify the published public key.
 2. Thecomputer-implemented method of claim 1, further comprising: in responseto determining that the first parameter is not within the bounded range,returning an error message.
 3. The computer-implemented method of claim1, wherein generating the recovered public key further comprises:verifying whether a second parameter included in the digital signatureis within the bounded range; and in response to determining that thesecond parameter is not within the bounded range, returning an errormessage.
 4. The computer-implemented method of claim 1, furthercomprising: in response to determining that a particular bit of theidentification parameter is unity, setting the second coordinateparameter as an odd member of the modulo prime square roots; and inresponse to determining that the particular bit of the identificationparameter is zero, setting the second coordinate parameter as an evenmember of the modulo prime square roots.
 5. The computer-implementedmethod of claim 1, further comprising: configuring a coordinate pointthat is specified by a pairing of the first coordinate parameter and thesecond coordinate parameter, wherein the recovered public key isgenerated based, at least, on the first parameter and the secondparameter included by the digital signature, the coordinate pointspecified by the pairing of the first coordinate parameter and thesecond coordinate parameter, and the parameters of the elliptic curve.6. The computer-implemented method of claim 1, wherein comparing thepublished public key and the recovered public key to verify thepublished public key further comprises: in response to determining thata match exists between the published public key and the recovered publickey, determining that the published public key is verified; and inresponse to determining that a match does not exist between thepublished public key and the recovered public key, determining that thepublished public key is not verified.
 7. A non-transitory,computer-readable storage medium storing one or more instructionsexecutable by a computer system to perform operations for recovering andverifying a public key, the operations comprising: accepting informationencoding parameters of an elliptic curve, a published public key, a hashvalue of a message, a digital signature, and an identificationparameter; generating a recovered public key based on the parameters ofthe elliptic curve, the hash value of the message, the digitalsignature, and the identification parameter, wherein generating therecovered public key comprises: determining whether a first parameterincluded in the digital signature is within a bounded range, wherein thebounded range is from a lower limit to an upper limit, wherein the lowerlimit is unity, and wherein the upper limit is characterized by aspecific prime number included in the parameters of the elliptic curve,computing a first coordinate parameter based, at least, on the digitalsignature and the hash value, comprising: subtracting the hash valuefrom the first parameter included by the digital signature to generate asubtraction result, and performing a modulo operation on the subtractresult to obtain the first coordinate parameter, in response todetermining that the first coordinate parameter equals unity,incrementing the first coordinate parameter by the specific prime numberthat characterizes the upper limit of the bounded range, and computingmodulo prime square roots of an elliptic equation characterized by theparameters of the elliptic curve to determine a second coordinateparameter, wherein the modulo prime square roots are computed for theelliptic equation instantiated by the first coordinate parameter; andcomparing the published public key and the recovered public key toverify the published public key.
 8. The non-transitory,computer-readable storage medium of claim 7, wherein the operationsfurther comprise: in response to determining that the first parameter isnot within the bounded range, returning an error message.
 9. Thenon-transitory, computer-readable storage medium of claim 7, whereingenerating the recovered public key further comprises: verifying whethera second parameter included in the digital signature is within thebounded range; and in response to determining that the second parameteris not within the bounded range, returning an error message.
 10. Thenon-transitory, computer-readable storage medium of claim 7, theoperations further comprising: in response to determining that aparticular bit of the identification parameter is unity, setting thesecond coordinate parameter as an odd member of the modulo prime squareroots; and in response to determining that the particular bit of theidentification parameter is zero, setting the second coordinateparameter as an even member of the modulo prime square roots.
 11. Thenon-transitory, computer-readable storage medium of claim 7, theoperations further comprising: configuring a coordinate point that isspecified by a pairing of the first coordinate parameter and the secondcoordinate parameter, wherein the recovered public key is generatedbased, at least, on the first parameter and the second parameterincluded by the digital signature, the coordinate point specified by thepairing of the first coordinate parameter and the second coordinateparameter, and the parameters of the elliptic curve.
 12. Thenon-transitory, computer-readable storage medium of claim 7, whereincomparing the published public key and the recovered public key toverify the published public key further comprises: in response todetermining that a match exists between the published public key and therecovered public key, determining that the published public key isverified; and in response to determining that a match does not existbetween the published public key and the recovered public key,determining that the published public key is not verified.
 13. Acomputer-implemented system, comprising: one or more computers; and oneor more computer memory devices interoperably coupled with the one ormore computers and having tangible, non-transitory, machine-readablemedia storing one or more instructions that, when executed by the one ormore computers, perform one or more operations for recovering andverifying a public key, the operations comprising: accepting informationencoding parameters of an elliptic curve, a published public key, a hashvalue of a message, a digital signature, and an identificationparameter, generating a recovered public key based on the parameters ofthe elliptic curve, the hash value of the message, the digitalsignature, and the identification parameter; and wherein generating therecovered public key comprises: determining whether a first parameterincluded in the digital signature is within a bounded range, wherein thebounded range is from a lower limit to an upper limit, wherein the lowerlimit is unity, and wherein the upper limit is characterized by aspecific prime number included in the parameters of the elliptic curve,computing a first coordinate parameter based, at least, on the digitalsignature and the hash value, comprising: subtracting the hash valuefrom the first parameter included by the digital signature to generate asubtraction result, and performing a modulo operation on the subtractresult to obtain the first coordinate parameter, in response todetermining that the first coordinate parameter equals unity,incrementing the first coordinate parameter by the specific prime numberthat characterizes the upper limit of the bounded range, and computingmodulo prime square roots of an elliptic equation characterized by theparameters of the elliptic curve to determine a second coordinateparameter, wherein the modulo prime square roots are computed for theelliptic equation instantiated by the first coordinate parameter, andcomparing the published public key and the recovered public key toverify the published public key.
 14. The system of claim 13, wherein theoperations further comprise: in response to determining that the firstparameter is not within the bounded range, returning an error message.15. The system of claim 13, wherein generating the recovered public keyfurther comprises: verifying whether a second parameter included in thedigital signature is within the bounded range; and in response todetermining that the second parameter is not within the bounded range,returning an error message.
 16. The system of claim 13, the operationsfurther comprising: in response to determining that a particular bit ofthe identification parameter is unity, setting the second coordinateparameter as an odd member of the modulo prime square roots; and inresponse to determining that the particular bit of the identificationparameter is zero, setting the second coordinate parameter as an evenmember of the modulo prime square roots.
 17. The system of claim 13, theoperations further comprising: configuring a coordinate point that isspecified by a pairing of the first coordinate parameter and the secondcoordinate parameter, wherein the recovered public key is generatedbased, at least, on the first parameter and the second parameterincluded by the digital signature, the coordinate point specified by thepairing of the first coordinate parameter and the second coordinateparameter, and the parameters of the elliptic curve.
 18. The system ofclaim 13, wherein comparing the published public key and the recoveredpublic key to verify the published public key further comprises: inresponse to determining that a match exists between the published publickey and the recovered public key, determining that the published publickey is verified; and in response to determining that a match does notexist between the published public key and the recovered public key,determining that the published public key is not verified.